Second – My thoughts on who should consider participating in the S4 ICS CTF.

A person with hacking skills, but little experience in ICS. The flags will give you guidance on what an attacker would actually try to do once they can get to an ICS.

A person responsible for defending an ICS. Even if you just spend time understanding the flags you will learn many of the end goals and techniques that will be used against your ICS if an attacker can gain access to it.

A person with great ICS hacking skills. You will find this a challenge and perhaps you can win the S4 Black Badge.

Third – Some tips from Reid for CTF participants:

A successful team will need a variety of skills, ranging from analyzing industrial controls to basic network scanning to lockpicking, as well as solving more traditional CTF problems.

Some challenges are purely control systems focused, such as identifying configuration items in controllers or analyzing oddities in ICS protocols. Some of these control systems challenges will have a cyberphysical element: as teams solve the problems, they may want to watch the process control equipment to see how their findings helped attack a process. A few of these will involve ICS Foreverday vulnerabilities.

Other challenges involve incident response: analyzing traffic from compromised systems. Bring your traffic analysis hats for these. We even have RF analysis flags. We will have a handful of SDR receivers and will provide hints for how to search for these flags; players will want to familiarize themselves with the RTL-SDR prior to coming.

OSIsoft is back again as an S4xCTF sponsor, and they are bringing back Killer Robots, Inc. with new flags as well as the flags that went unsolved last year. Enter Harry Paul of OSIsoft to give you some information and hints to help you get some of the PI System related flags in the S4x17 CTF.

The S4x17 Killer Robots CTF environment is designed to be an interactive, fun source of industrial security challenges. After all, CTF is a great way to explore and defeat ‘forever’ day configuration issues. This year the OSIsoft team has improved and expanded the PI System environment, planting flags inspired by case studies, new security features and threat models.

Below we have a summary of the PI challenges from last year. OSIsoft provided 11 of the 43 total flags for the competition. There were 5 flags left standing at the end of the competition and 4 flags that were only solved by one team. The most successful competitor captured 450 of the possible 2025 points from the PI challenges.

Flag   Points   Successes
   1       25          16
   2       50           6
   3      100           1
   4      100           1
   5      125           1
   6       50           1
   7      125           0
   8      300           0
   9      300           0
  10      500           0
  11      400           0

Reviewing the logs in our environment revealed that many teams did perform reconnaissance, but did not progress. Perhaps the low success rate of the competitors has gone to our heads, so this year we are upping the ante. The first (if any) team that captures the mysterious, illustrious “Golden PI” flag, will win the opportunity to deliver ~3.14 pies to the faces of the OSIsoft security advisory team in attendance. You heard right, this is your opportunity to exact sweet revenge on a vendor!

Want to learn more? Every Wednesday in December we’ll give an inside look at the CTF environment on the PI Square Security Forum, providing background and perhaps even a few hints along the way. Search for the S4x17 tag to get all posts related to the event.

We have been preparing some new and interesting challenges for the S4 CTF this year, and I think that players will have a lot of fun with what we have in the works. We have a number of nice challenges that involve breaking and entering into our ‘Killer Robot Factory’ (players from last year’s CTF may remember a few flags associated with the poor Killer Robots — for all of the pain that they cause humanity, they don’t secure their network very well).

One of last year’s challenges was to find the product order code for a feeder management relay. This relay was used to control a breaker that could disconnect the poor Killer Robots from their electric mains.

While we have a few SEL-751As in our test lab, we thought that putting one in harm’s way for the CTF might be a bit of a stretch. Even ‘good’ industrial equipment such as that made by SEL tends not to deal very well with many simultaneous users. That, and if people messed with the equipment, it could be a pain to restore to working condition.

Instead, we built an SEL emulator (or honeypot) in Python using the cmd2 library. The emulator is kind-of-sort-of good, and provides a sort-of-realistic simulation of an SEL relay: enough to trick CTF players, anyway.
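
As an added illustration (this is not Digital Bond's emulator, whose code is not on this page), here is a minimal SEL-style ASCII command emulator built on Python's standard-library cmd module rather than cmd2, so it runs with no extra dependencies (cmd2 keeps the same do_<command> convention). The access-level prompts (=, =>, =>>), the ACC/2AC/QUI commands and the factory-default passwords OTTER and TAIL follow SEL's documented conventions; the FID string, the part number the ID command returns, the exact error strings, and the rule that 2AC must be issued from level 1 are all assumptions made for this example, and the part number is not the CTF flag. Every line a client sends is logged, which is the part of a honeypot that actually pays off.

```python
import cmd
import io
import sys

# Constructed stand-ins: neither value is a real relay's data nor the CTF flag.
FAKE_FID = "FID=SEL-751A-R100-V0-Z000000-D20150101"
FAKE_PARTNO = "PARTNO=0751A0A0A0A0A0A0"

# SEL factory-default passwords for access levels 1 and 2 (changed on any real install).
DEFAULT_PASSWORDS = {1: "OTTER", 2: "TAIL"}
PROMPTS = {0: "=", 1: "=>", 2: "=>>"}


class SelEmulator(cmd.Cmd):
    """Tiny SEL-style command emulator with access levels 0-2 and a full command log."""

    def __init__(self, passwords=None, stdout=None):
        super().__init__(stdout=stdout or io.StringIO())
        self.passwords = dict(passwords or DEFAULT_PASSWORDS)
        self.level = 0
        self.pending_level = None   # set while we are waiting for a password line
        self.log = []               # every line the client sent, passwords included
        self.prompt = PROMPTS[0]

    def _say(self, text):
        self.stdout.write(text + "\n")

    def emptyline(self):
        return False  # a bare Enter does nothing (cmd.Cmd would repeat the last command)

    def onecmd(self, line):
        line = line.strip()
        self.log.append(line)
        if self.pending_level is not None:      # this line is a password, not a command
            return self._check_password(line)
        name, arg, _ = self.parseline(line)
        if not name:
            return False
        handler = getattr(self, "do_" + name.lower(), None)  # SEL commands are case-insensitive
        return handler(arg) if handler else self.default(line)

    def _check_password(self, given):
        if given == self.passwords[self.pending_level]:
            self.level = self.pending_level
            self.prompt = PROMPTS[self.level]
        else:
            self._say("Invalid Password")
        self.pending_level = None
        return False

    def _request_password(self, level):
        if self.level < level:
            self.pending_level = level
            self._say("Password: ?")
        return False

    def do_acc(self, arg):
        """ACC: request access level 1."""
        return self._request_password(1)

    def do_2ac(self, arg):
        """2AC: request access level 2 (assumed here to require level 1 first)."""
        if self.level < 1:
            self._say("Invalid Access Level")
            return False
        return self._request_password(2)

    def do_id(self, arg):
        """ID: firmware ID and part number, the kind of data last year's flag was hidden in."""
        if self.level < 1:
            self._say("Invalid Access Level")
            return False
        self._say(FAKE_FID)
        self._say(FAKE_PARTNO)
        return False

    def do_qui(self, arg):
        """QUI: drop back to access level 0."""
        self.level = 0
        self.prompt = PROMPTS[0]
        return False

    def do_exit(self, arg):  # local convenience for the interactive loop, not an SEL command
        return True

    def default(self, line):
        self._say("Invalid Command")
        return False


def run_session(lines, passwords=None):
    """Replay a scripted client session; return (final access level, output, command log)."""
    out = io.StringIO()
    emu = SelEmulator(passwords=passwords, stdout=out)
    for line in lines:
        emu.onecmd(line)
    return emu.level, out.getvalue(), emu.log


if __name__ == "__main__":
    SelEmulator(stdout=sys.stdout).cmdloop("Constructed SEL-751A emulator. Type 'exit' to quit.")
```

To expose it over the network you would wrap cmdloop in a per-connection thread behind a telnet listener; the point of keeping the state machine in one class is that the log then records the full ACC/2AC sequence an attacker tries, including the passwords they guess.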

A common problem that occurs when you provide an environment or playground is that the sheer number of choices is overwhelming. Providing a network full of PLCs, Historians, and other ICS equipment often results in an interested participant not actually participating at all because there’s no good place to start or no clear path through the petting zoo.

This year at the S4 we are taking a more directed approach. We want all attendees to have clear goals and clear payoffs to exploring and exploiting new technologies and problems. We’re ramping up the CTF this year and making it the primary focus of what was previously called the “ICS Village.” At S4x16 we will have a full-scale professional-grade jeopardy-style ICS-oriented Capture-the-Flag event.

For those unfamiliar with jeopardy-style CTF events: rather than a fully connected network of corporate systems, an ICS DMZ, a control center zone, firewalls, etc. we will have a set of distinct and discrete challenges to be solved within a set of categories. This method is how virtually all CTFs are organized (e.g. DEF CON, CSAW, PPP). We feel it provides a clear and easy path for participants with frequent rewards to encourage diving further. It also makes the logistics and infrastructure easier which means we can facilitate more participants and more complicated and interesting challenges.

Digital Bond, with the help of many excellent volunteers, has worked hard to create an interesting CTF full of ICS challenges that is sure to test everyone from the ICS Novice to the most seasoned PLC Pwning Wizards. Look for a future post revealing categories and other interesting tidbits related to the challenges themselves. The CTF will run the entire length of the conference and a live scoreboard will be projected at the venue to monitor the excitement.

Be sure to register soon for discounted pricing and before all of the spots are taken. The speaker lineup is fantastic but the CTF is going to be amazing (O.K. maybe I’m biased). Thanks to the volunteers and sponsors who have helped create the new and improved S4 CTF. Come on and get your hack on!

The Capture The Flag (CTF) contest in the ICS Village at S4x15 was a big hit. We have had numerous requests from attendees and those that heard about it for more information and data. So Stephen has put together a page of information. The page includes:

Examples of flags in each of the five categories

Packet captures with ICS protocol and attack data (the most requested item)

Screenshots of detected data and the scoreboard

Pictures from the ICS Village

An explanation of the event

You may also want to watch an interview with the team that won the CTF.

Great job by Stephen and the team of volunteers who put the CTF together and kept it running under three days of attacks. It puts a lot of pressure on the team to make it bigger and better for S4x16.

Stephen had an article yesterday on the ICS Village / Capture The Flag (CTF) competition at S4x15. We also will be putting up a page with more info on the flags, techniques and pcaps in the next week. In the meantime, check out the interview with the winning team.

The Classic S4 Cocktail Party on Wednesday had an area where you could try piloting a drone. There was a larger drone overhead recording the party on the Kovens deck.

Finally, the SCADA Diva mantle has been passed from S4x14 winner Ronnie Fabela to the new SCADA Diva … Chris Sistrunk. He was awarded the ceremonial pink hard hat and all of the other perks that come with the office. Bonus points are awarded for on-site pictures with the hard hat. Of course based on long standing tradition, Chris will select the next SCADA Diva at S4x16.

This year at S4x15, Digital Bond set out to create an ICS Capture The Flag, or CTF. Flags were created to simulate real world situations that an attacker would encounter when targeting an ICS. By the end of the CTF, there were over 30 teams playing. Most of the teams consisted of a single player; however, the top scoring teams had multiple members.

An example of an easy (100 point) and more general forensics flag was to identify the potentially infected machine on the Corporate Zone. To do this you needed to visit the GigaView TAP Aggregation Switch that Digital Bond had placed within the ICS Village. (A big thanks to Liam Randall at Critical Stack for providing this for our use in the ICS Village.) Once you collected some traffic, you needed to find a host that was trying to perform a DNS lookup of a known malicious site.

Two more flags in the Forensics section of the CTF scoreboard were related to this infection. Below is the traffic you would be looking for; once you found it, the host name was the flag.
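
As an added example (not the CTF's own tooling, capture or blocklist), here is a dependency-free DNS question parser run over constructed query payloads, each tagged with the source IP a packet capture would give you once the Ethernet/IP/UDP headers are stripped. The blocklist domains, the addresses and the traffic are all made up. A query whose name equals or ends in a listed domain marks the source host as the suspect; malformed payloads are skipped rather than allowed to crash the sweep, and compression pointers are followed with a hop limit so a hostile packet cannot loop the parser.

```python
import struct

# Constructed blocklist; none of these names is the real lookup from the CTF.
MALICIOUS_DOMAINS = {"badupdates.example", "c2.example.net"}


def build_dns_query(qname, txid=0x1234, qtype=1):
    """Fabricate a raw DNS query payload (only used to build the sample traffic below)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(label)]) + label.encode("ascii") for label in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(payload, offset):
    """Decode a DNS name at offset, following compression pointers; return (name, next offset)."""
    labels, end, hops = [], None, 0
    while True:
        length = payload[offset]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: pointer to another name
            pointer = struct.unpack("!H", payload[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                        # the pointer ends this name on the wire
            hops += 1
            if hops > 16 or pointer >= len(payload):    # refuse pointer loops / out-of-range jumps
                raise ValueError("bad compression pointer")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(payload[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels).lower(), (end if end is not None else offset)


def parse_dns_questions(payload):
    """Return (is_query, [(qname, qtype), ...]) from a raw DNS message."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    _txid, flags, qdcount = struct.unpack("!HHH", payload[:6])
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = _read_name(payload, offset)
        qtype, _qclass = struct.unpack("!HH", payload[offset:offset + 4])
        offset += 4
        questions.append((name, qtype))
    return not (flags & 0x8000), questions              # QR bit clear => this is a query


def find_suspect_hosts(packets, blocklist):
    """packets: iterable of (src_ip, dns_payload). Returns {src_ip: set of bad names looked up}."""
    hits = {}
    for src, payload in packets:
        try:
            is_query, questions = parse_dns_questions(payload)
        except (ValueError, IndexError, struct.error):
            continue                                     # malformed or not DNS: skip, do not crash
        if not is_query:
            continue
        for name, _qtype in questions:
            if any(name == bad or name.endswith("." + bad) for bad in blocklist):
                hits.setdefault(src, set()).add(name)
    return hits


# Constructed sample traffic: (source IP, DNS payload), as if pulled from a capture.
SAMPLE_TRAFFIC = [
    ("10.10.1.15", build_dns_query("www.example.com")),
    ("10.10.1.22", build_dns_query("update.badupdates.example")),
    ("10.10.1.15", build_dns_query("mail.example.com", qtype=15)),
    ("10.10.1.22", build_dns_query("c2.example.net")),
    ("10.10.1.30", b"\x00\x01garbage"),                  # not DNS at all
]

if __name__ == "__main__":
    for host, names in find_suspect_hosts(SAMPLE_TRAFFIC, MALICIOUS_DOMAINS).items():
        print(host, "->", ", ".join(sorted(names)))
```

On a real capture you would feed the function the UDP payloads of port-53 packets from the TAP (scapy or dpkt will give you those in a few lines); the matching logic stays the same.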

Another flag that got good feedback from contestants required reading values from a PLC on the network. There were two flags hidden in the Holding Registers of a Modicon PLC. The first one was found in Holding Registers 23 to 33. The values stored in these registers were the decimal representations of ASCII characters. Depending on the tool you were using, converting the numbers found in the registers to ASCII could take some work; however, some Modbus scanners would convert this right out of the box, which made it easier for some.

In the same Modicon PLC, there was a flag that consisted of a series of Boolean registers whose binary 1s and 0s had to be converted into ASCII. This flag was rewarded with a higher point value than the other Modbus read flag, as it took more time to concatenate the information back together and convert it to ASCII. Below is a screenshot of the Holding Registers that were configured with some of the Boolean values that made up the flag.
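
As an added example (not the CTF's PLC, scanner or flag data), here is a self-contained Modbus/TCP exchange in Python: a client builds Read Holding Registers (FC3) and Read Coils (FC1) requests, a constructed in-memory PLC answers them, and two decoders turn the register values and the bit string back into ASCII. The register contents and the coil pattern are made up. Two practical caveats are built in: a register a tool displays as 23 (or 40023) is usually PDU offset 22 on the wire, so an off-by-one on the start address is the usual reason a flag decodes to garbage; and the page does not say whether the Boolean flag lived in coils or in holding registers set to 0/1, so bits_to_ascii accepts either.

```python
import struct

FC_READ_COILS = 1
FC_READ_HOLDING = 3


def build_read_request(unit, function, start, count, txid=1):
    """Modbus/TCP ADU: MBAP header + PDU for FC1/FC3. start is the 0-based PDU offset."""
    pdu = struct.pack("!BHH", function, start, count)
    mbap = struct.pack("!HHHB", txid, 0, len(pdu) + 1, unit)  # length counts unit id + PDU
    return mbap + pdu


def _exception(txid, unit, function, code):
    pdu = bytes([function | 0x80, code])
    return struct.pack("!HHHB", txid, 0, len(pdu) + 1, unit) + pdu


def plc_respond(request, holding, coils):
    """Constructed PLC: answers FC1/FC3 from in-memory tables (not a real Modicon)."""
    txid, _proto, _length, unit = struct.unpack("!HHHB", request[:7])
    function, start, count = struct.unpack("!BHH", request[7:12])
    if function == FC_READ_HOLDING:
        if count < 1 or count > 125 or start + count > len(holding):
            return _exception(txid, unit, function, 2)      # ILLEGAL DATA ADDRESS
        data = struct.pack("!%dH" % count, *holding[start:start + count])
    elif function == FC_READ_COILS:
        if count < 1 or count > 2000 or start + count > len(coils):
            return _exception(txid, unit, function, 2)
        packed = bytearray((count + 7) // 8)
        for i, bit in enumerate(coils[start:start + count]):
            if bit:
                packed[i // 8] |= 1 << (i % 8)              # first coil = LSB of first byte
        data = bytes(packed)
    else:
        return _exception(txid, unit, function, 1)          # ILLEGAL FUNCTION
    pdu = bytes([function, len(data)]) + data
    return struct.pack("!HHHB", txid, 0, len(pdu) + 1, unit) + pdu


def response_is_exception(adu):
    """True if the PDU function code has the exception bit set."""
    return bool(adu[7] & 0x80)


def parse_read_response(adu):
    """Return a list of register values (FC3) or a list of bits in coil order (FC1)."""
    _txid, proto, length, _unit = struct.unpack("!HHHB", adu[:7])
    if proto != 0 or length != len(adu) - 6:
        raise ValueError("bad MBAP header")
    function = adu[7]
    if function & 0x80:
        raise ValueError("Modbus exception code %d" % adu[8])
    byte_count = adu[8]
    data = adu[9:9 + byte_count]
    if len(data) != byte_count:
        raise ValueError("truncated response")
    if function == FC_READ_HOLDING:
        return list(struct.unpack("!%dH" % (byte_count // 2), data))
    if function == FC_READ_COILS:
        return [(b >> i) & 1 for b in data for i in range(8)]
    raise ValueError("unsupported function %d" % function)


def registers_to_ascii(regs):
    """Each register holds one character's decimal ASCII code; zero / non-ASCII values are skipped."""
    return "".join(chr(r) for r in regs if 0 < r < 0x80)


def bits_to_ascii(bits, msb_first=True):
    """Group bits (from coils, or from 0/1 holding registers) into bytes and decode as ASCII."""
    text = []
    for i in range(0, len(bits) - len(bits) % 8, 8):
        chunk = bits[i:i + 8] if msb_first else bits[i:i + 8][::-1]
        value = int("".join(str(int(b)) for b in chunk), 2)
        if value:
            text.append(chr(value))
    return "".join(text)


# Constructed PLC memory: one string at PDU offsets 22-32 (what a tool shows as registers 23-33)
# and another spelled out one bit per coil, most significant bit first.
HOLDING = [0] * 100
for i, ch in enumerate("MODBUS_OK"):
    HOLDING[22 + i] = ord(ch)
COILS = [int(b) for ch in "HI" for b in format(ord(ch), "08b")] + [0] * 48

if __name__ == "__main__":
    resp = plc_respond(build_read_request(1, FC_READ_HOLDING, 22, 11), HOLDING, COILS)
    print(registers_to_ascii(parse_read_response(resp)))
    resp = plc_respond(build_read_request(1, FC_READ_COILS, 0, 16), HOLDING, COILS)
    print(bits_to_ascii(parse_read_response(resp)))
```

Against a real PLC, replace plc_respond with a TCP socket to port 502 (send the request, recv the reply) and keep the parsing as is; start with a small count, because many controllers return ILLEGAL DATA ADDRESS the moment a range runs past what is configured.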

A BACnet flag was hidden inside of an actual BACnet device that could be found on the Internet. Teams used many different techniques to capture this flag. Some teams downloaded and tried multiple tools, while other teams attempted to modify Digital Bond’s Redpoint script to collect more information to find the flag. In this case, the flag was found within the Object Name of an Analog Input inside of the BACnet controller. The flag is shown below; to find it you would have to read the descriptions of the analog points to know that this Object Name was the proper string for the flag.
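
As an added example (not Redpoint, which is an Nmap NSE script, and not the CTF device or its data), here is the BACnet/IP ReadProperty exchange that flag required, in Python: the client encodes a ReadProperty request for a property of analog-input N, a constructed device answers with a ComplexACK carrying a CharacterString, and a sweep reads each analog input's description before deciding which objectName is worth reporting. The object table and the "FLAG" marker in the descriptions are invented. The parser handles only un-routed NPDUs and CharacterString values and raises on anything else, including BACnet-Error PDUs, rather than guessing.

```python
import struct

OBJ_ANALOG_INPUT = 0
PROP_DESCRIPTION = 28
PROP_OBJECT_NAME = 77
READ_PROPERTY = 0x0C


def encode_object_id(obj_type, instance):
    return struct.pack("!I", (obj_type << 22) | (instance & 0x3FFFFF))

def _frame(npdu, apdu):
    """BACnet/IP BVLC Original-Unicast-NPDU wrapper (function 0x0A, 2-byte total length)."""
    return b"\x81\x0A" + struct.pack("!H", 4 + len(npdu) + len(apdu)) + npdu + apdu

def _ctx_property(prop_id):
    """Context tag 1 (propertyIdentifier) with a 1- or 2-octet value."""
    return b"\x19" + bytes([prop_id]) if prop_id < 256 else b"\x1A" + struct.pack("!H", prop_id)

def build_read_property(obj_type, instance, prop_id, invoke_id=1):
    """Confirmed-Request ReadProperty(objectIdentifier, propertyIdentifier)."""
    apdu = bytes([0x00, 0x05, invoke_id, READ_PROPERTY])       # type 0, max APDU 1476, invoke id
    apdu += b"\x0C" + encode_object_id(obj_type, instance)     # context tag 0, 4 octets
    return _frame(b"\x01\x04", apdu + _ctx_property(prop_id))  # NPDU: version 1, expecting reply

def build_read_property_ack(obj_type, instance, prop_id, text, invoke_id=1):
    """Constructed device reply: ComplexACK whose propertyValue is a CharacterString."""
    payload = b"\x00" + text.encode("utf-8")                   # character set 0 = ANSI X3.4 / UTF-8
    if len(payload) >= 254:
        raise ValueError("long strings not built by this example")
    tag = bytes([0x70 | len(payload)]) if len(payload) <= 4 else bytes([0x75, len(payload)])
    apdu = bytes([0x30, invoke_id, READ_PROPERTY]) + b"\x0C" + encode_object_id(obj_type, instance)
    apdu += _ctx_property(prop_id) + b"\x3E" + tag + payload + b"\x3F"   # opening/closing tag 3
    return _frame(b"\x01\x00", apdu)

def _decode_tag(buf, off):
    """Decode one tag octet (+ extended tag/length): (tag, is_context, length_or_type, next off)."""
    octet, off = buf[off], off + 1
    tag, context, lvt = octet >> 4, bool(octet & 0x08), octet & 0x07
    if tag == 0x0F:                                            # extended tag number
        tag, off = buf[off], off + 1
    if lvt == 5:                                               # extended length
        lvt, off = buf[off], off + 1
        if lvt == 254:
            lvt, off = struct.unpack("!H", buf[off:off + 2])[0], off + 2
        elif lvt == 255:
            lvt, off = struct.unpack("!I", buf[off:off + 4])[0], off + 4
    return tag, context, lvt, off

def _read_ids(frame, off):
    """Context tags 0 and 1 shared by request and ack: (obj_type, instance, prop, next off)."""
    _t, _c, _l, off = _decode_tag(frame, off)
    oid = struct.unpack("!I", frame[off:off + 4])[0]
    _t, _c, ln, off = _decode_tag(frame, off + 4)
    return oid >> 22, oid & 0x3FFFFF, int.from_bytes(frame[off:off + ln], "big"), off + ln

def _check_frame(frame):
    if frame[:1] != b"\x81" or struct.unpack("!H", frame[2:4])[0] != len(frame):
        raise ValueError("not a well-formed BACnet/IP frame")
    if frame[5] & 0x28:
        raise ValueError("routed NPDU (DNET/SNET present) not handled by this example")

def is_error_pdu(frame):
    return frame[6] >> 4 == 5

def parse_read_property_request(frame):
    """Returns (obj_type, instance, prop_id, invoke_id)."""
    _check_frame(frame)
    if frame[6] >> 4 != 0 or frame[9] != READ_PROPERTY:
        raise ValueError("not a ReadProperty request")
    obj_type, instance, prop, _off = _read_ids(frame, 10)
    return obj_type, instance, prop, frame[8]

def parse_read_property_ack(frame):
    """Returns (obj_type, instance, prop_id, string value); raises on Error PDUs or other types."""
    _check_frame(frame)
    if is_error_pdu(frame):
        raise ValueError("BACnet-Error for invoke id %d" % frame[7])
    if frame[6] >> 4 != 3 or frame[8] != READ_PROPERTY:
        raise ValueError("not a ReadProperty ComplexACK")
    obj_type, instance, prop, off = _read_ids(frame, 9)
    tag, ctx, ln, off = _decode_tag(frame, off)
    if tag == 2 and ctx:                                       # optional propertyArrayIndex
        tag, ctx, ln, off = _decode_tag(frame, off + ln)
    if not (tag == 3 and ctx and ln == 6):
        raise ValueError("expected opening tag 3 (propertyValue)")
    tag, ctx, ln, off = _decode_tag(frame, off)
    if ctx or tag != 7:
        raise ValueError("propertyValue is not a CharacterString")
    raw = frame[off + 1:off + ln]
    value = raw.decode("utf-8") if frame[off] == 0 else raw.decode("latin-1", "replace")
    return obj_type, instance, prop, value

# Constructed object table for a fake controller: instance -> {property: value}.
FAKE_OBJECTS = {
    1: {PROP_OBJECT_NAME: "AI-1 Supply Temp", PROP_DESCRIPTION: "Chilled water supply"},
    2: {PROP_OBJECT_NAME: "S4-DEMO-NAME", PROP_DESCRIPTION: "The name of this point is the FLAG"},
    3: {PROP_OBJECT_NAME: "AI-3 Return Temp", PROP_DESCRIPTION: "Chilled water return"},
}

def fake_device(request):
    """Answer one ReadProperty request from FAKE_OBJECTS; unknown object/property -> Error PDU."""
    obj_type, inst, prop, invoke_id = parse_read_property_request(request)
    value = FAKE_OBJECTS.get(inst, {}).get(prop) if obj_type == OBJ_ANALOG_INPUT else None
    if value is None:                                          # abbreviated Error PDU (class/code omitted)
        return _frame(b"\x01\x00", bytes([0x50, invoke_id, READ_PROPERTY]))
    return build_read_property_ack(obj_type, inst, prop, value, invoke_id)

def sweep_analog_inputs(device, instances, marker="flag"):
    """Read each AI's description first; return {instance: objectName} where it mentions marker."""
    found = {}
    for inst in instances:
        desc = parse_read_property_ack(device(build_read_property(OBJ_ANALOG_INPUT, inst, PROP_DESCRIPTION)))[3]
        if marker in desc.lower():
            found[inst] = parse_read_property_ack(device(build_read_property(OBJ_ANALOG_INPUT, inst, PROP_OBJECT_NAME)))[3]
    return found
```

Against a real controller, device() becomes a UDP send/recv on port 47808 with the same bytes; reading the device object's objectList (property 76) first tells you which analog-input instances exist instead of guessing.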

One flag (1000 points) proved to be quite difficult, and only one team was able to capture it. This flag was the only 1000 point flag that was found without bending the rules (looking at you, team Foobar), and was in the Forensics category. This flag involved using some reverse engineering skills as well as a few hints that were handed out by the judges during the CTF. On the FTP server in the Corporate zone, there was a firmware file in a .hex format; in this case, it was an SREC (Motorola S-record) file. After the team was able to disassemble the file, they were left with assembly code. It was no small task running through the code to find the flag, as the flag was hidden inside of an add instruction as shown below. The hex value 0x4841434b then converts to the ASCII string HACK, which was the flag.
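
As an added example (not the CTF's firmware file and not the winning team's disassembly), here is a Motorola S-record parser in Python that verifies each record's byte count and checksum, rebuilds the memory image across record boundaries, and then scans the image for runs of printable bytes, which is how an immediate such as 0x4841434b shows up before you ever open a disassembler. The sample records are constructed around made-up filler bytes and the code does not assume any particular CPU. On a little-endian target the same immediate would appear in the image reversed ("KCAH"), so check both readings of any hit.

```python
ADDRESS_BYTES = {0: 2, 1: 2, 2: 3, 3: 4, 5: 2, 6: 3, 7: 4, 8: 3, 9: 2}


def srec_checksum(payload):
    """Ones' complement of the low byte of the sum over count + address + data."""
    return (~sum(payload)) & 0xFF

def make_srec(rtype, address, data=b""):
    """Build one S-record line (used only to fabricate the sample firmware below)."""
    body = address.to_bytes(ADDRESS_BYTES[rtype], "big") + data
    payload = bytes([len(body) + 1]) + body               # count includes the checksum byte
    return "S%d%s%02X" % (rtype, payload.hex().upper(), srec_checksum(payload))

def parse_srec(text):
    """Parse S-records into ({address: byte}, entry_address); bad count/checksum raises ValueError."""
    image, entry = {}, None
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if len(line) < 10 or line[0] != "S" or not line[1].isdigit() or int(line[1]) not in ADDRESS_BYTES:
            raise ValueError("line %d: not an S-record" % lineno)
        rtype = int(line[1])
        raw = bytes.fromhex(line[2:])
        count, payload, given = raw[0], raw[:-1], raw[-1]
        if count != len(raw) - 1:
            raise ValueError("line %d: byte count %d does not match record" % (lineno, count))
        if srec_checksum(payload) != given:
            raise ValueError("line %d: checksum %02X != %02X" % (lineno, srec_checksum(payload), given))
        alen = ADDRESS_BYTES[rtype]
        address, data = int.from_bytes(raw[1:1 + alen], "big"), raw[1 + alen:-1]
        if rtype in (1, 2, 3):                            # data records
            for i, b in enumerate(data):
                image[address + i] = b
        elif rtype in (7, 8, 9):                          # termination record carries the entry point
            entry = address
        # S0 header and S5/S6 record counts are accepted and ignored
    return image, entry

def srec_is_valid(text):
    try:
        parse_srec(text)
        return True
    except ValueError:
        return False

def to_flat(image, fill=0xFF):
    """Return (base address, contiguous bytes), filling gaps between records with `fill`."""
    lo, hi = min(image), max(image)
    return lo, bytes(image.get(a, fill) for a in range(lo, hi + 1))

def find_printable_runs(base, blob, min_len=4):
    """Like strings(1): maximal runs of printable ASCII of at least min_len, with their addresses."""
    runs, start = [], None
    for i, b in enumerate(blob + b"\x00"):                # sentinel flushes a trailing run
        if 0x20 <= b < 0x7F:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_len:
                runs.append((base + start, blob[start:i].decode("ascii")))
            start = None
    return runs

def as_word(text):
    """Big-endian integer an immediate holding `text` shows as in a disassembly listing."""
    return int.from_bytes(text.encode("ascii"), "big")

def flip_last_data_byte(record):
    """Corrupt one data byte of an S-record without fixing its checksum (to exercise the check)."""
    flipped = int(record[-4:-2], 16) ^ 0x01
    return record[:-4] + "%02X" % flipped + record[-2:]


# Constructed "firmware": non-printable filler around the immediate 0x4841434B ("HACK").
FIRMWARE = b"\x00\x01\x02\x03" + b"\x0C\x80" + b"HACK" + b"\x00\xFF\xFE\xFD"
SAMPLE_SREC = "\n".join([
    make_srec(0, 0, b"demo"),
    make_srec(1, 0x1000, FIRMWARE[:8]),                   # "HACK" straddles the two data records
    make_srec(1, 0x1008, FIRMWARE[8:]),
    make_srec(9, 0x1000),
])
_records = SAMPLE_SREC.split("\n")
TAMPERED_SREC = "\n".join(_records[:1] + [flip_last_data_byte(_records[1])] + _records[2:])

if __name__ == "__main__":
    image, entry = parse_srec(SAMPLE_SREC)
    base, blob = to_flat(image)
    for addr, text in find_printable_runs(base, blob):
        print("0x%08X  %-8s  0x%08X" % (addr, text, as_word(text)))
```

Once the image is flat, the entry address from the S7/S8/S9 record and the addresses of the printable hits are what you hand to the disassembler; the checksum check matters because a single corrupted byte silently turns into a different instruction.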

At the end of the S4x15 CTF, 10 of the 42 flags were not captured. This is not unusual for a CTF. Some of the remaining flags were focused on 0-days in the ICS products that were on the ICS Village CTF network. However, some of the flags were just overlooked, and the judges didn’t give out hints for those flags. Here is the final scoreboard as we shut down the flag submissions:

Over three days the CTF changed leaders a few times, with a team made up of Swedes and one Canadian winning in the end. Team Foobar won with a final score of 11200 points. The top 10 teams (some of which are single-player teams) are as follows:

A big thank you to our sponsors Cisco and mGuard, as well as Checkpoint and Belden for providing hardware for the ICS Village. Without their help, the ICS Village CTF would not have gotten where it did this year. Once again, thanks to all those who played, and we look forward to once again improving the ICS Village next year.

About Us

Digital Bond was founded in 1998 and performed our first control system security assessment in the year 2000. Over the last sixteen years we have helped many asset owners and vendors improve the security and reliability of their ICS, and our S4 events are an opportunity for technical experts and thought leaders to connect and move the ICS community forward.